← back
CVE-2023-53930

ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability

CVSS 7.1 HIGHEPSS 0.3%CWE-639
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
17 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
projectSend · projectSend

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.exploit-db.com/exploits/51400https://www.projectsend.org/https://www.vulncheck.com/advisories/projectsend-insecure-direct-object-reference-file-download-vulnerability